Generate APIKeys Key from Terraform #1168
Conversation
justinsb
force-pushed
the
generate_apikeys_apikey_from_terraform
branch
2 times, most recently
from
9989f96 to
f2e9fbd
Compare
|
/assign @maqiuyujoyce This is just going through the "legacy" terraform-backed generation process at this point. Targeting v1alpha1 because it won't yet be the quality we want. My plan is to then implement this directly using the API, to verify that it is worthwhile in terms of quality / efficient, that we can migrate existing TF resources etc etc. I do wonder if I should put this CRD into a separate directory, just so that we can delay adoption for a little longer. It is alpha though. |
justinsb
force-pushed
the
generate_apikeys_apikey_from_terraform
branch
from
9e969f3 to
ce8e4a5
Compare
There was a problem hiding this comment.
Hi @justinsb , thank you for adding the resource!
Most of the comments are questions, though I want to make sure we are on the same page before we merge the change.
There are still some process gaps to support a v1alpha1 resource, so I think we might want to make v1alpha1 resources less noticeable by customers before graduating them to beta/GA.
config/servicemappings/apikeys.yaml
Outdated
| kind: APIKeysKey | ||
| metadataMapping: | ||
| name: name | ||
| #labels: labels |
| mv google/api/serviceusage/ mockgcp/api/ | ||
|
|
||
| cd mockgcp | ||
|
|
||
| find . -type f -print0 | xargs -0 sed -i -e "s@google/iam/@mockgcp/iam/@g" | ||
| find . -type f -print0 | xargs -0 sed -i -e "s@google\[email protected]@g" | ||
|
|
||
| find . -type f -print0 | xargs -0 sed -i -e "s@google/api/apikeys/@mockgcp/api/apikeys/@g" |
There was a problem hiding this comment.
Just for self-education: Is it a required step when adding a mock API? I'm not sure if I've missed anything, but I didn't find them in the README.
There was a problem hiding this comment.
This is just when we add a new API outside of the normal google/cloud group.
However, I'll update the README!
| @@ -26,6 +26,7 @@ gen-proto: | |||
| --grpc-gateway_opt paths=source_relative \ | |||
| --experimental_allow_proto3_optional \ | |||
| ./apis/mockgcp/cloud/resourcemanager/v1/*.proto \ | |||
| ./third_party/googleapis/mockgcp/api/apikeys/v2/*.proto \ | |||
There was a problem hiding this comment.
Nit: Maybe we can add a lint/a unit test to ensure the paths are ordered alphabetically?
There was a problem hiding this comment.
We should aim to but I think it's tricky to enforce (unless you know of a suitable tool) and I don't think it changes anything at runtime.
| namespace: cnrm-system | ||
| spec: | ||
| name: APIKeys | ||
| version: v1alpha1 |
There was a problem hiding this comment.
We don't have a service level version set to v1alpha1 so there might be some rare feature gaps somewhere.
Meanwhile, we support all the other resources via autogen. So APIKeysKey configured here, I think there'll be two routes to promote a resource from alpha to beta. Feels like our code will get even more complicated.
There was a problem hiding this comment.
Well we're going to switch this one to direct actuation pretty fast, it looks like! There are some significant gaps in the terraform implementation.
mockgcp/mockapikeys/apikeysv2.go
Outdated
| @@ -0,0 +1,191 @@ | |||
| // Copyright 2023 Google LLC | |||
| @@ -32,6 +32,7 @@ var ( | |||
| "accesscontextmanager": {"accesscontextmanagerserviceperimeter"}, | |||
| "alloydb": {"fullalloydbcluster"}, | |||
| "apigee": {"apigeeenvironment"}, | |||
| "apikeys": {"apikeyskeybasic"}, | |||
There was a problem hiding this comment.
I think we may not want to add v1alpha1 resources into presubmit (and get distracted by its failures)?
There was a problem hiding this comment.
So this is needed because of TestAllServicesInMap.
I do think we want to test it because we're actively developing it, and it's an important evaluation of a new approach. The API itself is relatively old I believe, so I don't think we'll see too many service flakes.
There was a problem hiding this comment.
Sure, I'm okay with us keeping it as is. Though we may want to re-evaluate it if it adds more maintenance burden than expected.
| apiVersion: apikeys.cnrm.cloud.google.com/v1alpha1 | ||
| kind: APIKeysKey | ||
| metadata: | ||
| name: apikeyskeybasic-${uniqueId} |
There was a problem hiding this comment.
Should be name: aapikeyskey-${uniqueId}. The naming convention is [kindinlowercase]-${uniqueId}.
There was a problem hiding this comment.
Not sure I agree with this convention (we know the kind from the kind, so we get more information from [test name]-$uniqueId), but ... fixed
There was a problem hiding this comment.
Thank you for the change! And feel free to propose new naming conventions!
IIUC, our naming convention was designed like this so that it's
- easy to follow (especially when there are dependencies of different kinds),
- consistent (most of our existing testdata already follows this naming convention so it minimizes the confusion from external contributors and minimizes any cleanup work), and
- trackable in debugging (because unique IDs will be different).
There was a problem hiding this comment.
I'll gather more evidence before making a change. Once we split the output by test I think it will be a lot easier to understand each object, so I think I'll focus more on that.
| apiVersion: apikeys.cnrm.cloud.google.com/v1alpha1 | ||
| kind: APIKeysKey | ||
| metadata: | ||
| name: apikeyskeybasic-${uniqueId} |
| @@ -0,0 +1,58 @@ | |||
| {{template "headercomment.tmpl" .}} | |||
There was a problem hiding this comment.
Mhmm, maybe remove the resource doc?
We didn't add any resource doc for any autogen / v1alpha1 resources because we believe additional information about no resource quality guaranteed, no backwards compatibility support, and etc should be provided on the page, but we never get the chance to prioritize working with PM to finalize the idea.
There was a problem hiding this comment.
Removed the alpha docs. We can add them back in a separate PR, we should also make sure they are readable on github for those alpha resources - a good opportunity.
pkg/test/resourcefixture/sets.go
Outdated
| // Skip v1alpha1 CRDs when testing set cover as they may not yet be | ||
| // correctly supported. | ||
|
|
||
| // We do allowlist a few that we are hand-coding / checking. | ||
| // (Needed to get TestGetBasicTypeSetCover to pass) |
There was a problem hiding this comment.
Hmmm, can we make TestGetBasicTypeSetCover() check for v1beta1 services only?
There was a problem hiding this comment.
Changed getResourceConfigIdSet to ignore all v1alpha1 resources.
justinsb
force-pushed
the
generate_apikeys_apikey_from_terraform
branch
from
ce8e4a5 to
41aa4a5
Compare
| @@ -32,6 +32,7 @@ var ( | |||
| "accesscontextmanager": {"accesscontextmanagerserviceperimeter"}, | |||
| "alloydb": {"fullalloydbcluster"}, | |||
| "apigee": {"apigeeenvironment"}, | |||
| "apikeys": {"apikeyskeybasic"}, | |||
There was a problem hiding this comment.
Sure, I'm okay with us keeping it as is. Though we may want to re-evaluate it if it adds more maintenance burden than expected.
mockgcp/mockapikeys/apikeysv2.go
Outdated
| @@ -0,0 +1,191 @@ | |||
| // Copyright 2023 Google LLC | |||
There was a problem hiding this comment.
Thank you for the change! Not a blocker, just want to follow up a bit.
To clarify, I think the resource apikeysv2 can be a reasonable name for file: the generated pb.go file has the same name, and v2 is the version in the path, so I think automation can be possible here and it saves us a manual step.
Overall I don't have a strong preference whether it should be key.go or apikeysv2.go as long as the names are consistent under mockgcp services.
So far I've seen a few different naming conventions:
- Version name only: https://github.com/GoogleCloudPlatform/k8s-config-connector/blob/master/mockgcp/mockcertificatemanager/v1.go
- Partial resource name + version name: https://github.com/GoogleCloudPlatform/k8s-config-connector/blob/master/mockgcp/mockbilling/billingv1.go
- Plural form resource name + version name: https://github.com/GoogleCloudPlatform/k8s-config-connector/blob/master/mockgcp/mockcompute/networksv1.go
- Resource name only: https://github.com/GoogleCloudPlatform/k8s-config-connector/blob/master/mockgcp/mockedgenetwork/network.go
- Others?
Would be great if the names can be more consistent.
I'd prefer an automated name if possible, or having the version in the filename to avoid conflicts. E.g. Cloud Run API has RunService and will have two service.go.
mockgcp/mockapikeys/apikeysv2.go
Outdated
| // You can update only the `display_name`, `restrictions`, and `annotations` fields. | ||
|
|
||
| // See docs for UpdateMask | ||
| updateMask := req.GetUpdateMask() |
There was a problem hiding this comment.
Gotcha! I had the confusion (and still have a bit of it) because this seems to require the contributor to understand the logic of the API backend, and understand to what extent we need to implement the CRUD methods. Are there any detailed/actionable steps for contributors to follow when they implement the methods? Or are they just expected to do trial and error?
| apiVersion: apikeys.cnrm.cloud.google.com/v1alpha1 | ||
| kind: APIKeysKey | ||
| metadata: | ||
| name: apikeyskeybasic-${uniqueId} |
There was a problem hiding this comment.
Thank you for the change! And feel free to propose new naming conventions!
IIUC, our naming convention was designed like this so that it's
- easy to follow (especially when there are dependencies of different kinds),
- consistent (most of our existing testdata already follows this naming convention so it minimizes the confusion from external contributors and minimizes any cleanup work), and
- trackable in debugging (because unique IDs will be different).
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: justinsb, maqiuyujoyce The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
This allows us to test our scaffolded API.
Add a basic resourcefixture and sample.
We don't want docs for alpha resources - yet.
…verage Our concern is the alpha/beta stability level, rather than how it came about.
Took a while to show up, but it did show up!
Generated clients and docs
If adding a new API not under google/cloud, we may need a few new sed lines.
justinsb
force-pushed
the
generate_apikeys_apikey_from_terraform
branch
from
41aa4a5 to
25ce9b5
Compare
|
Rebased to pick up test fixes |
|
/lgtm |
google-oss-prow
bot
merged commit 2391918
into
GoogleCloudPlatform:master
Following the existing (legacy) procedure to generate an APIKeys Key resource from terraform.
Because it's coming from terraform and we intend to rework it, mark it as alpha quality until we have reworked it.